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Abstract 

Over the past decades, coordination languages have emerged for the 
specification and implementation of interaction protocols for communi- 
cating software components. This class of languages includes Reo, a 
platform for compositional construction of connectors. In recent years, 
many formalisms for describing the behavior of Reo connectors have 
emerged. In this paper, we give an overview of all these classes of 
semantic models. Furthermore, we investigate the expressiveness of 
two more prominent classes, constraint automata and coloring models, 
in detail. 
Keywords: concurrency, coordination, Reo, semantics, constraint 
automata, connector coloring 


1 Introduction 


Over the past decades, coordination languages have emerged for the spec- 
ification and implementation of interaction protocols for communicating 
software components. This class of languages includes Reo [5], a platform 
for compositional construction of connectors. Connectors in Reo serve as 
communication mediums through which components can interact with each 
other. Essentially, Reo connectors impose constraints on the order in which 
components can exchange data items with each other. Although ostensibly 
simple, Reo connectors can describe complex protocols (e.g., a solution 
to the Dining Philosophers problem [6]). Development tools for Reo exist 
as plug-ins for the Eclipse IDE, called the Extensible Coordination Tools 
(Ect),>* including tools for simulation, animation, and verification of Reo 
connectors. 


‘CWI, Amsterdam, the Netherlands. Email: jongmans@cwi.n1 
2CWI, Amsterdam, the Netherlands; LIACS, Leiden, the Netherlands 
3 http://reo.project.cwi.nl 

‘Formerly known as the Eclipse Coordination Tools. 
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Coalgebraic models (Section 3.1) Operational models (Section 3.2) 


Timed data streams Constraint automata 
Record streams Variants of constraint automata 
Timed 
Coloring models (Section 3.3) Probabilistic 
Two colors Continuous-time 
Three colors Quantitative 
Tile models Resource-sensitive timed 
Transactional 
Other models (Section 3.4) Context-sensitive automata 
Process algebra Biichi automata 
Constraints Guarded automata 
Petri nets & intuitionistic logic Intentional automata 
Unifying theories of programming Action constraint automata 


Behavioral automata 
Structural operational semantics 


Table 1: Semantic formalisms for describing the behavior of Reo connectors. 


In recent years, many semantic formalisms for describing the behavior 
of Reo connectors have emerged, including coalgebraic models, operational 
models, and models based on graph-coloring. Table 1 shows a list of the 
classes of semantic models that currently (late 2011) exist for modeling Reo 
connectors. (We discuss the entries in this list in more detail in Section 3.) 
Although each of the classes in Table 1 serves its own purpose, we identify 
two burdens that their large quantity inflicts. 


Issue 1 (Tracking them). Because there exist so many different semantic 
formalisms by now, keeping track of all of them becomes nontrivial and 
requires a significant amount of effort. As a result, in more than one 
publication, authors forget to mention relevant related work at the appropriate 
places in their own contributions. Extrapolated to the extreme, this can cause 
papers to become “forgotten” and scientist to redo the work. 


Issue 2 (Relating them). Questions about how the various classes of models 
relate to each other in terms of their expressiveness naturally arise. These 
questions, moreover, require answering for two reasons. First, from a theo- 
retical point of view, such answers provide us with better and possibly new 
insights into the fundamentals of Reo. Second, from a more practical per- 
spective, such answers broaden the applicability of tools—both existing and 
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future—that assist developers in designing their connectors. 


In this paper, we provide a snapshot that offers a solution to Issue 1 and 
take a step towards answering the questions mentioned in Issue 2. 


Contributions We attribute two main contributions to this paper. In 
its first half, to resolve Issue 1, we provide a comprehensive overview of 
all existing classes of semantic models for describing the behavior of Reo 
connectors. Although our presentation remains mainly informal, a similarly 
detailed overview does, to our knowledge, not exist. 

In the second half of this paper, to take a step towards resolving Issue 2, 
we investigate the relation between two of the most important classes of 
semantic models of Reo connectors: (connector) coloring models (with two 
colors) [29] and constraint automata [17]. We show how to transform the 
former to the latter and demonstrate bisimilarity between an original and 
its transformation. In the opposite direction, we show how to transform 
constraint automata to equivalent coloring models, prove that these transfor- 
mations define each other’s inverse, and again show bisimilarity. Additionally, 
we prove the compositionality of our transformation operators. To ensure 
that our transformation operators map one-to-one (instead of many-to-one), 
we extend coloring models with data-awareness. 

A preliminary version of this paper, which excludes our comprehensive 
overview of semantic formalisms, appeared as [41]. 


Organization In Section 2, we give an informal description of Reo con- 
nectors; in Section 3, we provide an overview of semantic formalisms for 
describing their behavior. In Section 4, we extend coloring models with 
data-awareness. In Section 5, we discuss our transformation from coloring 
models to constraint automata; in Section 6, we discuss our transformation 
in the opposite direction. In Section 7, we discuss a potential application of 
our transformation operators. Section 8 concludes this paper. 


2 Reo Connectors 


A Reo connector consists of nodes (from the universe of nodes) through 
which data items (from the universe of data items) can flow. 


Definition 1 (Universe of nodes). NODE is the set of nodes. 
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Sync LossySync FIFO (Empty) FIFO (Full) 
o—————>0 (oe >O o—_{__ +> o——_i—-o. 
ny ne ny n2 ne n3 ne n3 


Figure 1: Pictorial representation of Sync, LossySync and FIFO. 


Definition 2 (Universe of data items). DATA is the finite set of data items. 


Within a connector, we distinguish three types of nodes: input nodes on 
which components can perform write operations for data items, internal 
nodes that a connector uses to internally route data items, and output nodes 
on which components can perform take operations for data items. We call 
input and output nodes collectively, the boundary nodes of a connector. 
Write and take operations, collectively called 1/0-operations, remain pending 
on a boundary node until they succeed, in which case the respective nodes fire. 
We call connectors without internal nodes, which form the most elementary 
mediums between components, primitives. 

Figure 1 shows pictorial representations of three common (binary) 
primitives. The Sync primitive consists of an input node and an output 
node. Data items flow through this primitive only if both its nodes have 
pending 1/O-operations. The LossySync primitive behaves similarly, but loses 
a data item if its input node has a pending write operation, while its output 
node has no pending take operation. We call LossySync a contezt-sensitive 
connector: depending on the presence or absence of pending 1/O-operations 
on its nodes, i.e., its context, LossySync behaves differently—LossySync must 
never lose a data item if its output node has a pending take operation.° 
Unfortunately, not all formalisms for modeling Reo connectors can describe 
context-sensitivity (at least, not directly); we address this topic in more 
detail in Section 3. 

In contrast to the previous two primitives, connectors can have buffers 
to store data items in. Such connectors exhibit different states, while the 
internal configuration of Sync and LossySync always stays the same. For 
instance, the FIFO primitive consists of an input node, an output node, 
and a buffer of size 1. In its Empty state, a write operation on the input 
node of FIFO causes a data item to flow into its buffer—this buffer becomes 
full—while a take operation on its output node remains pending. Conversely, 
in its Full state, a write operation on its input node remains pending, while 
a take operation on its output node causes a data item to flow from the 


*Bonsangue et al. formalize context-sensitivity in [20, 21]. 
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LossyFIFO (Empty) LossyFIFO (Full) 
ee ee >e—{_}->o Oise —— 
n1 na ng ny ne n3 


Figure 2: Pictorial representation of LossyFIFO. 


buffer to this output node—the buffer becomes empty. 

We interpret n,, ng, and ng in Figure 1 as variables over nodes in 
NODE: rather than depicting single connectors, this figure shows classes of 
connectors. For example, we can instantiate Sync by setting n1 to a concrete 
node A and ng to a concrete node B. In text, we distinguish instances 
from classes by explicitly specifying the set of nodes an instance consists of. 
For example, Sync(A, B) denotes a connector instance, while Sync denotes 
a connector class. However, if no confusion can arise, we write “connector 
Conn” rather than “instance of connector Conn” for brevity. 

We can construct complex connectors from simpler constituents by 
joining them. Informally, two connectors Conn, and Conng can join iff, for 
each of their common nodes, this node serves as an input node in Conn, and 
as an output node in Conn or vice versa.°® 

To illustrate joining, Figure 2 shows the pictorial representation of 
LossyFIFO, a connector composed of LossySync and FIFO. LossyFIFO consists 
of one input node, one internal node, and one output node. Similar to FIFO, 
LossyFIFO exhibits the states Empty and Full. Informally, in the Empty 
state, a write operation on the input node of LossyFIFO always causes a 
data item to flow into its buffer, while a take operation on its output node 
remains pending. In the Full state, a write operation on its input node 
always causes a data item to flow from its input node towards its buffer, but 
gets lost before reaching its internal node; a take operation on its output 
node causes a data item to flow from its buffer to this output node. 

We call connectors that arise from joining smaller connectors compos- 


®In this paper, we adopt the notion of nodes as introduced in [29]: at most two 
connectors can join on the same node. Alternatively [5], one can consider nodes entities on 
which an arbitrary number of connectors may coincide (rather than at most two). Under 
that interpretation, a node acts as a pumping station: at each execution step, it accepts a 
data item on one of its input connectors and replicates this data item to all its output 
connectors. Moreover, in that view, connectors can join on non-boundary nodes. We 
favor [29]-style nodes, however, because of their simplicity. This choice does not affect the 
generality of our results, because we can implement [5]-style nodes with [29]-style nodes 
by joining ternary primitives (Merger and Replicator) that emulate this pumping station 
behavior [29]. 
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ites. By hiding—another operation on connectors—the internal nodes of a 
composite Conn, abstracting these nodes from the definition of Conn such 
that the outside world cannot observe and interact with them anymore, we 
transform Conn to a primitive. 


3 Overview of Semantic Formalisms 


One can trace the history of Reo back to [3]: in that paper, Arbab informally 
introduces the basic concepts of Reo, while leaving a formalization of its 
semantics for future work. Indeed, as shown in Table 1, many formalization 
arose! In this section, we give an overview of these classes of models. We aim 
at comprehensiveness: to the best of our knowledge, we discuss all classes of 
semantic models that researches have developed in the context of Reo. 

While we skip most of the formal definitions, we consider two semantic 
formalisms in more detail: constraint automata in Section 3.2.1 and coloring 
models in Section 3.3. This has two reasons. First, these two classes 
influenced and formed the basis of many other classes of models as well as 
implemented tools. Thus, these formalisms have played a crucial role in the 
research on the semantics of Reo. Second, in the subsequent sections of this 
paper, we prove the correspondence between these two classes, for which we 
need their formal definitions. 

We continue this section as follows (see also Table 1). First, in Sec- 
tion 3.1, we discuss two classes of coalgebraic models. Second, in Section 3.2, 
we summarize operational models of Reo connectors. Third, in Section 3.3, 
we treat coloring models. Finally, in Section 3.4, we discuss those models 
that do not fit the previous three categories. 


3.1 Coalgebraic Models 


In the literature, we find two classes of coalgebraic models for describing the 
behavior of Reo connectors: those based on timed data streams (TDS) and 
those based on record streams (RS). In both these classes, the coalgebraic 
notion of streams plays a prominent role. Informally, a stream s over a set 
S denotes an infinite sequence of elements from S. We denote the set of 
all the streams over S by SY. More formally, we define streams over S as 
total functions from the natural numbers to elements in S, i.e., s € SY” IFF 
s:N-S. We refer to the i-th element in a stream s with the notation s(7). 
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Timed data streams In [4, 5, 14, 62], Arbab and Rutten introduce 
TDS models as the first formalization of the semantics of Reo connectors. 
Informally, a TDS model of a connector describes for each of its nodes which 
and when—in dense time—data items flow through this node. It does so 
by associating each node with a timed data stream (TDS). We define a TDS 
as a pair of two streams over two different sets: a data stream d over DATA 
(the data domain; see Definition 2) and a monotonically increasing time 
stream t over Ryo (the positive real numbers including zero). Informally, a 
TDS of a node n conveys that data item d(z) passes through n at time t(?). 
By associating each node of a connector Conn with its own TDS in a TDS 
tuple, thus, we describe a single execution of Conn. To describe all possible 
executions of Conn, we associate Conn with a set of TDS tuples; we call such 
a set the TDS model of Conn. Commonly, however, we define such a TDS 
model as a predicate on TDSs that induces the set of admissible TDs tuples of 
Conn. (Enumerating all admissible TDs tuples of Conn becomes impossible 
because, not only each stream in a TDS itself is infinite, the set of admissible 
TDS tuples usually contains infinitely many elements.) 


Record streams’ The second class of coalgebraic models of Reo connectors 
contains models that, to describe a single execution of a connector Conn, 
associate Conn with a single stream of records (cf., TDS models associate 
each node of Conn with a pair of streams). Izadi et al. introduce RS models 
in [38, 40]. Informally, records describe single execution steps of a connector: 
a record associates the nodes through which a data item flows (in the 
execution step it models) with those data items. 


Definition 3 (Record [40]). A record r is a partial function r : NODE — 
ATA that maps a node n to a data item r(n). We denote the set of all 
records by RECORD. 


A record steam (RS) rs denotes a stream over the set RECORD. If the domain 
of every record in an RS rs includes only nodes from a connector Conn, rs 
potentially describes a single execution of Conn (cf., a TDS tuple): if so, 
record rs(z) describes which data items flow through which nodes at an 
abstract time instant 7. To describe all executions of a connector Conn, we 
associate Conn with a set of RSs, which we call its RS model. 

Compared to TDS models, RS models differ in their disregarding of the 
exact arrival times of data items at nodes: RS models capture only the order 
in which data items arrive. In [88, 40], Izadi et al. also define an operator 
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for transforming TDS tuples to RSs and an operator for transforming RSs to 
TDS tuples. Furthermore, Izadi et al. assert that the latter operator forms 
the inverse of the former operator (but not vice versa). 


3.2. Operational Models 


Although stream-based models provide an intuitive way of thinking about 
flow through nodes, they turned out difficult to derive implementations 
from and analyze (e.g., by means of model checking). To remedy this, 
researchers looked for other types of models for describing the behavior of 
Reo connectors, including operational models. In fact, many such classes of 
operational models came to existence, e.g., (numerous variants of) constraint 
automata, various automata for describing context-sensitive connectors, and 
a structural operational semantics. 


3.2.1 Constraint automata 


In [10, 17], Baier et al. introduce the first class of operational models for 
describing the behavior of Reo connectors: constraint automata (CA). Similar 
to how ordinary automata accept strings, CA accept TDS-tuples. 

Informally, a CA consists of a (possibly singleton) set of states, which 
correspond one-to-one to the states of the connector whose behavior it models, 
and a set of transitions between them; in contrast to ordinary automata, 
however, CA do not have accepting states.’ A transition of a CA, which 
describes a single execution step, carries a label that consists of two elements: 
a set of nodes and a data constraint. The former, called a firing set, describes 
which nodes synchronously fire in the state the transition leaves from; the 
latter specifies the conditions that the data items that flow through these 
firing nodes must satisfy. 


Definition 4 (Universe of data constraints [17]). Dc(N) with N C NoDE 
is the set of data constraints such that each dc € Dc(N) complies with the 
following grammar: 


dc ::= de \ dc| adc| T | #n =d with n € N and d€ DATA. 


bY 


Informally, ##n means “the data item that flows through n,” while A, =, and 
T have their usual meaning. We also allow their derived Boolean operators 


"Because Ca do not have accepting states, CA have only accepting runs of infinite length 
(similar to w-automata [63]). This property makes CA suitable for accepting TDS-tuples 
(because every TDS in such a tuple has an infinite length). 
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ial 7 #ni = #n2 aT : dm = #n2 ne sO SO a 
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Sync LSync FIFO-E FIFO=F 


Figure 3: CA of Sync, LossySync, and FIFO for DATA = { “foo” }. 


as syntactic sugar, e.g., V, and adopt #n1 = #ng2 (with n1,n2 € NODE) as 
an abbreviation of V gepara (#21 = dA #2 = d). Below, we define Ca. 


Definition 5 (Constraint automaton [17]). A constraint automaton CA over 
[N C NopbE,DC C Dc(N)] is a triple (Q,T,qo) with Q a set of states, 
TC Qx @(N) x DC x Q a transition relation such that (q, F,dc,q’) € T 
implies dc € Dc(F), and qo € Q an initial state. 


The condition “(q, F,dc,q’) € T implies dc € Dc(F)” asserts that a data 
constraint cannot constrain data through nodes that do not fire. Henceforth, 
we consider only CA whose transition relations satisfy the following condition: 


(q, Fi, dei, q), (q, F2, de2, q) = T and qi # % implies (Fi, dcz) # (F2, dc2) 


This condition ensures that we can cast transition relations into transition 
functions,® and it comes without loss of generality.? 

To illustrate Definition 5, Figure 3 shows the CA of Sync, LossySync, 
and FIFO. For simplicity, we assume the universe of data items a singleton 
with the string “foo” as its sole element. In general, the CA of FIFO contains 
a distinct state for each data item in DATA that may occupy its buffer. Note 
that rather than naming states symbolically (e.g., ¢,p,qo0,@1,---), we name 
states by meaningful indexes (below the states in font).!0 


8Qne may call CA satisfying this condition “syntactically deterministic.” This “syntactic 
determinism,” however, differs from determinism as originally defined for CA [17]: the latter 
takes into account logical equivalence between data constraints in transitions leaving the 
same state (instead of syntactic equivalence). This yields a stronger form of determinism. 
Thus, every “logically deterministic” CA is a “syntactically deterministic” CA. Conversely, 
every “syntactically nondeterministic” CA is a “logically nondeterministic” CA. 

°For every “logically nondeterministic” CA, there exists a language-equivalent “logically 
deterministic” CA [17]. Consequently, for every “syntactically nondeterministic” CA, there 
exists a “syntactically deterministic” CA that models the behavior of the same connector 
(at the level of granularity of language equivalence). 

'°More precisely, Figure 3 shows classes of CA similar to how Figure 1 shows the pictorial 
representations of classes of connectors. An instance of a CA from Figure 3 contains actual 
nodes instead of the variables n; and nz. Moreover, the indexes in such an instance convey 
which nodes this instance contains, e.g., Sync(A, B). 
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Definition 6 (Universe of indexes). INDEX is the set of indezes. 


Henceforth, without loss of generality, we assume Q C INDEX for all CA 
(Q, T,qo). Finally, unlike the original publications on CA (but similar to 
many later papers), we model the possibility of connectors to idle explicitly 
with the inclusion of self-transitions labeled by (0, T).1! This simplifies the 
definition of the join operator for CA, below. 

When we join two connectors Conn; and Conng with CA as their behav- 
ioral model, we can compute the CA of the resulting composite by joining the 
CA of Conn; and Conng: the join operator for CA takes the Cartesian product 
of the sets of states of its arguments, designates the pair of their initial states 
as the initial state of the new CA, and determines a new transition relation. 


Definition 7 (Join of CA [17]). Let CA, = (Qy, T1, qj) and CA2 = (Qo, Ta, @) 
be CA over [Ni, DC\] and [N2, DC2]. Their join, denoted by CA, 1 CAg, is a 
CA over [N, U No, DC; A DC2|"” defined as: 


CA, Dd CAg = (Qy x Qo, i (a0; %6)) 


(M15 92) 5 (a, F1,de1, q4) eh 
with: T= (5 U Fo, dc, A dco : and (q2, Fo, dca, q5) E To. 

(G4 +9) and FLAN No = Fon N 
The condition Fy 1 Ng = Fo N, in the previous definition asserts the 
following: if transitions in CA; and CAg form a new transition in CA; ™ CAg, 
those transitions agree on the firing of the common nodes of CA; and CAg. 
Furthermore, we remark that because CA abstract from the direction of flow, 
Definition 7 does not take into account the prerequisite in Section 2 that 
“connectors Conn, and Conng can join iff, for each of their common nodes, 
this node serves as an input node in Conn, and as an output node in Conng 
or vice versa.” 

To illustrate Definition 7, Figure 4 shows the CA of LossyFIFO, ob- 
tained by joining the CA of LossySync and FIFO (see Figure 3). Note that 
this CA does not model the intended semantics of LossyFIFO: its transi- 
tion (LFIFO-E, {n;}, T, LFIFO-E) describes the inadmissible loss of data in 
the case of an empty buffer. This example shows that CA cannot model 
context-sensitive connectors directly; in Section 3.2.3, we discuss operational 
formalisms that can. 


" Generally, transitions labeled by (0, T) serve as T-transitions, and they can occur also 
between two different states. 
Henceforth, we write DC, A DC for {dei A dez| de, € DC, and deg € DC? }. 
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{ni,n3}, ##n3 = “foo” 


LFIFO-E {ma,na}, LFIFO-F 


Figure 4: CA of LossyFIFO for DATA = {“foo”}. Let LFIFO-E denote 
(LSync, FIFO-E), and let LFIFO-F denote (LSync, FIFO-F). 


For more examples of CA, including nondeterministic CA, we refer 
to [10, 17]. Additionally, in [10, 17], Baier et al. define (bi)simulation for CA, 
they present the hide operators for CA, and they prove the compositionality 
of these operators under (bi)simulation. Furthermore, in [25, 26], Clarke 
introduces the forget operator for CA to model reconfiguration of connectors. 


3.2.2 Variants of CA 


Several variations on ordinary CA came to existence in the past five years. 
We start with three less intricate variants. 


Port automata In [45], Koehler and Clarke introduce port automata (PA) 
by abstracting data constraints from CA. This means that a transition 
of a PA carries only a firing set (or, equivalently, a firing set and T).!° 


CA with state memory In [60], Pourvatan et al. introduce CA with state 
memory (CASM) by extending CA with a construct that enables data 
constraints to refer to the values of memory cells (e.g., the buffers 
of instances of FIFO). More formally, Pourvatan et al. associate a 
CASM not only with the usual ingredients of CA, but also with a set 
of memory cells and a value function. This latter function maps, for 
each state, memory cells to data items. Furthermore, Pourvatan et al. 
extend the syntax and semantics of data constraints with constructs 
for the formulation of propositions over memory cells. 


Labeled cA_ In [44], Kliippelholz and Baier introduce labeled CA. In addi- 
tion to the usual ingredients of CA, Kltippelholz and Baier associate 
each labeled CA with a set of propositions and a labeling function that 
maps each state to those propositions that hold in it. 


'3Tn fact, if |DATA| = 1, there exists a language equivalent PA for every CA. 
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We proceed with six more complex extensions: timed CA, probabilistic 
CA, continuous-time CA, quantitative CA, resource-sensitive timed CA, and 
transactional CA. 


Timed ca_ In [8, 9], Arbab et al. introduce timed CA (TCA) for describing 
the behavior of time-dependent connectors, e.g., a variant of FIFO that loses 
a data item in its buffer after three time units. 

In addition to the usual ingredients of CA, Arbab et al. include a set of 
clocks in each TCA: special variables used to register and evaluate constraints 
about the passage of time (cf., clocks in timed automata [2]). Similar to 
ordinary CA, the states of a TCA correspond one-to-one to the internal states 
of the connector it models. However, Arbab et al. associate each of those 
states also with a clock constraint, which asserts a condition on the values of 
the available clocks. Only as long as the clock constraint of a state holds, 
the TCA can remain in that state; otherwise, it must make a transition. The 
label on a transition in a TCA consists not only of a firing set and a data 
constraint, but also of a clock constraint cc and a reset set Reset. Informally, 
a transition (q, F’, dc, cc, Reset, q’) in a TCA describes an execution step of 
a connector in a state g before which the clock constraint cc holds and 
wherein data items that satisfy dc flow through the nodes in F, bringing the 
connector in the successor state q’ after resetting the clocks in Reset. 

In [8, 9], Arbab et al. also define the join and hide operators for TCA 
and assert their compositionality under language equivalence. 


Probabilistic cA In [15], Baier introduces probabilistic CA (PCA) for de- 
scribing the behavior of probabilistic connectors, e.g., a probabilistic variant 
of LossySync or a randomized Sync.!4 

Similar to ordinary CA, the states of a PCA correspond one-to-one to the 
internal states of the connector it models. The transition relation of a PCA, 
however, contains pairs that consist of: a state and a (discrete) probability 
distribution II: o(N) x RECORD x Q — {0, 1] over firing sets, records,!° and 
states. Informally, a transition (q, II) in a PCA describes an execution step 
of a connector in a state g wherein, with a probability II(F,r, q’), data items 
flow through the nodes in F according to r, bringing the connector in the 


‘A randomized Sync transforms data items flowing through its input node to other 
data items according to some probability distribution. See Example 4 in [15]. 

Tn [15] (and in other papers on CA and its variants), Baier calls records data assignments. 
Here, we use the terminology and notation of records for uniformity. 


Overview of Thirty Semantic Formalisms for Reo 213 


successor state q’. In the same paper, Baier introduces an abstraction of 
PCA, called simple probabilistic CA (SPCA), whose transition relation contains 
quadruples that consist of: a state, a firing set, a data constraint, and a 
probability distribution 7 : Q — [0,1] over states. Informally, a transition 
(q, F, dc, 7) in an SPCA describes an execution step of a connector in a state 
q wherein data items that satisfy dc flow through the nodes in F, bringing 
the connector in the successor state q’ with probability 7(q). Thus, PCA 
allow for a finer definition of the probability distribution than SPCA. 


In [15], Baier also shows that one can transform any CA to an equivalent 
SPCA, and every SPCA to an equivalent PCA (and therefore, every CA to 
an equivalent PCA). Moreover, Baier defines the join and hide operators 
for SPCA and PCA, she defines bisimulation for PCA, and she asserts the 
compositionality of the join and hide operators for PCA under bisimulation. 


Continuous-time CA In [18], Baier and Wolf introduce continuous-time 
CA (CCA) for describing both the behavior of connectors and their time- 
dependent stochastic assumptions, e.g., the stochastic waiting time of pending 
1/O-operations. This extension of CA enables a formal analysis of the per- 
formance of connectors. Although both TCA and CCA incorporate a notion 
of time, TCA model functional temporal aspects of connectors, while CCA 
model (some of) their non-functional temporal stochastic properties. 


Similar to ordinary CA, the states of a CCA correspond one-to-one to 
the internal states of the connector it models. The transition relation of a 
CCA, however, has two partitions: one with ordinary CA transitions, called 
interactive transitions in the context of CCA, and a partition with Markovian 
transitions. This latter partition contains triples that consist of: a state 
q, a rate X, and a successor state q’. The rate, a positive real number, 
denotes the rate parameter of an exponential distribution over time (as in 
continuous-time Markov chains). Informally, a Markovian transition (q, , q’) 
in a CCA describes the occurrence of a delay—whatever the source—of t or 
less time units in state g with probability 1 — e~**. A Markovian transition 
can fire only in the absence of enabled interactive transitions. 


In [18], Baier and Wolf also define the join and hide operators for 
ccA. Moreover, Baier and Wolf define three variants of bisimulation for 
CCA—strong, weak, and very weak—and they assert the compositionality of 
the join and hide operators for CCA under strong and weak bisimulation. 
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Quantitative cA In [12, 53], Arbab et al. introduce quantitative CA (QCA) 
for describing both the behavior of connectors and the quality of service (Qos) 
guarantees they provide, e.g., reliability or shortest transmission time. From 
a conceptual perspective, QCA differ from TCA and PCA, because these latter 
two classes of models describe functional aspects of connectors, while Qos 
guarantees belong to the class of non-functional properties. The difference 
between QCA and CCA seems more subtle. On the one hand, QCA generalize 
CCA, because QCA can describe not only information about delays, but also 
about, e.g., reliability. On the other hand, CCA describe stochastic delays, 
which QCA seem unable to do.'® Thus, the sets of connectors whose Qos 
guarantees QCA and CCA can describe overlap, but seem not coincident. 

Similar to CA, the states of a QCA correspond one-to-one to the internal 
states of the connector it models. The label on a transition in a QCA, 
however, consists not only of a firing set and a data constraint, but also 
of a cost that represents a QoS metric (e.g., reliability). Informally, a 
transition (q, F,dc,c,q’) in a QCA describes an execution step of a connector 
in state g wherein data items that satisfy dc flow through the nodes in F, 
bringing the connector in the successor state q’, while providing the Qos 
guarantees described by c. Formally, a cost c comes from the domain of a 
Q-algebra—an algebraic structure, introduced by Chothia and Kleijn in [24], 
for the compositional description of QoS properties. 

In [12], Arbab et al. also define the join and hide operators for QCA. 
Moreover, Arbab et al. define four types of simulation for QcA—strong, weak, 
and (weak) quality improving—and they prove the compositionality of the 
join and hide operators for QCA under strong, weak, and quality improving 
simulation. One can use quality improving simulations to analyze, e.g., if an 
implementation of a connector provides a higher Qos than its specification. 


Resource-sensitive timed CA Concurrently with QCA, in [51], Sun Meng 
and Arbab introduce resource-sensitive timed CA (RSTCA) for describing the 
behavior of time-dependent resource-sensitive connectors, e.g., a connector 
that requires a sufficiently large bandwidth and that times out if this resource 
remains unavailable during some interval. The class of RSTCA differs from 
the class of CCA, because CCA incorporate a stochastic notion of the passage 
of time, while RSTCA incorporate crisp values. Compared to TCA, RSTCA 
seem more restrictive in the sense that an RSTCA does not feature explicit 


'®To show that QCA can describe stochastic delays, one must show how to encode 
continuous probability distributions as Q-algebras [24]. 
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clocks: instead, each state g and each transition t in an RSTCA has its own 
implicit clock, which this RSTCA resets to 0 once it reaches q or fires t. 

In addition to the usual ingredients of CA, Sun Meng and Arbab include 
a set of resources in each RSTCA: special variables used to register information 
and evaluate constraints about resources (e.g., available bandwidth). Similar 
to ordinary CA, the states of an RSTCA correspond one-to-one to the internal 
states of the connector it models. The transition relation of an RSTCA, 
however, has two partitions: one with interactive transitions (different from 
the interactive transitions in CCA) and another with timeout transitions. 

The former partition contains transitions with a label that consists not 
only of a firing set and a data constraint, but also of a resource constraint rc 
and a duration function df. Resource constraints assert a condition about the 
required resources, while duration functions map resources to those times at 
which a connector must have finished using them. Informally, an interactive 
transition (q, F,dc,rc, df,q’) in an RSTCA describes an execution step of a 
connector in state gq wherein data items that satisfy dc flow through the 
nodes in F, while utilizing a set of resources R that satisfy rc, bringing the 
connector in the successor state q’ within time df(R). 

The partition with timeout transitions contains triples that consist of: a 
state q, a timeout t, and a successor state g’. Informally, a timeout transition 
(q,t,q') describes an execution step of a connector in state q wherein it 
transits to the successor state q’, if no interactive transitions could fire for t 
time units. Timeout transitions in QCA resemble Markovian transitions in 
CCA, but carry a crisp maximum value rather than a stochastic parameter. 

In [51], Sun Meng and Arbab also define the join and hide operators 
for RSTCA. Moreover, Sun Meng and Arbab define two types of simulation 
for RSTCA—functional and strong—and prove the compositionality of the 
join and hide operators for RSTCA under strong simulation. 


Transactional cA In [54], Sun Meng and Arbab introduce transactional 
CA (TNCA) for describing the behavior of connectors whose execution in- 
volves long-running transactions. Such transactions often provide weaker 
guarantees than the traditional ACID guarantees for transactions [36] (atom- 
icity, consistency, isolation, durability): for instance, because data involved 
in long-running transactions is not locked, such transactions typically lack 
isolation. Long-running transactions occur in service-oriented architectures, 
thus when using Reo in this application domain, support for long-running 
transactions becomes important. 
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Similar to CA, the states of a TNCA correspond one-to-one to the 
internal states of the connector it models. The label on a transition in 
a TNCA, however, consists of a set of nodes and either a data constraint or a 
transaction w. In the former case, we obtain a transition as in ordinary CA, 
called an atomic transition in the context of TNCA, and we interpret the set of 
nodes this transition carries as a firing set. In the latter case, in contrast, we 
have a transaction transition. Informally, a transaction transition (q, F, w, q’) 
in a TNCA describes an execution step of a connector in state gq wherein 
the nodes in F (commit to) participate in the transaction w, bringing the 
connector in the successor state q’. As transactions themselves typically 
involve interactions and coordination among multiple parties, Sun Meng and 
Arbab model transactions as Reo connectors. 

In [54], Sun Meng and Arbab also define the join operator for TNCA. 


3.2.3. Context-Sensitive Automata 


As mentioned during our discussion of LossyFIFO in Section 3.2.1, there 
exists a significant class of connectors whose behavior CA cannot describe 
satisfactorily: context-sensitive connectors.!’ We recall that the behavior of 
a context-sensitive connector depends not only on its own internal state, but 
also on the presence or absence of pending 1/O-operations on its boundary 
nodes, e.g., a LossySync should lose a data item only if it has no pending 
take operation on its output node. Unfortunately, CA can directly model 
only a nondeterministic approximation of LossySync (as in Figure 3). Below, 
we discuss other classes of automaton-based models that can describe the 
behavior of context-sensitive connectors. 


Biichi automata In [38, 40], Izadi et al. propose to use Biichi automata 
of records (BAR), i.e., automata on infinite words [63] over records (see 
Definition 3), for describing the behavior of connectors. Similar to how CA 
accept TDSs, BAR accept RSs, i.e., record streams. Moreover, the states of a 
BAR (in its simple form) correspond one-to-one to the internal states of the 
connector Conn it models, while its transitions, each labeled with a record, 
describe the execution steps of Conn. Because BAR feature (sets of) accepting 
states, called (generalized) acceptance conditions, BAR can model connectors 
with fairness constraints (e.g., if a node can fire from some instant onwards, 
it eventually does so), whose behavior CA cannot describe. 


Later in this paper, however, we demonstrate that CA actually can describe the 
behavior of context-sensitive connectors. 
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For describing the behavior of context-sensitive connectors, in [39, 40], 
Izadi et al. introduce augmented BAR (ABAR), whose states do no longer 
correspond one-to-one to the internal states of connectors, but many-to-one: 
each state of an ABAR does not only represent the internal state of the 
connector Conn it models, but also registers information about the presence 
or absence of I/O0-operations on the nodes in Conn. While BAR accept infinite 
sequences of records, i.e., RSS, ABAR accept alternating infinite sequences of 
(i) sets of nodes that have pending I/0-operations, and (ii) records, describing 
what data items actually flow through which of those nodes. 

In [38, 40], Izadi et al. also define the join and hide operators for BAR 
(the join operator for BAR differs from the usual product operator for Biichi 
automata). Moreover, Izadi et al. define an operator for transforming an 
arbitrary CA to a BAR and prove its compositionality (in [40]). Similarly, 
in [39, 40], Izadi et al. define the join and hide operators for ABAR. 


Guarded automata In [20, 21], Bonsangue et al. define guarded automata 
(GA) for describing the behavior of (context-sensitive) connectors.!® Similar 
to Izadi’s ABAR, GA accept alternating infinite sequences of guards and firing 
sets. We can consider these guards generalizations of the sets of nodes that 
appear in the infinite words that ABAR accept—guards assert a condition 
about the presence or absence of 1/O-operations on nodes—while we can 
consider these firing sets abstractions of the records that appear in the words 
that ABAR accept (because firing sets exclude information about data). 

Similar to CA, but in contrast to ABAR, the states of a GA correspond 
one-to-one to the internal states of the connector it models: information 
about the presence or absence of 1/O-operations does not appear in the 
states of a GA (as in ABAR), but as guards on its transitions. Transitions 
additionally carry a firing set, i.e., the nodes through which a data item 
flows if the corresponding guard holds and the transition fires. Unlike ABAR, 
GA do not have accepting states. 

In [20, 21], Bonsangue et al. also define the join operator for GA 
(although indirectly, i.e., in terms of two other operators, namely product 
and synchronization). Moreover, Bonsangue et al. define bisimulation for 
GA, and assert the compositionality of the join operator under bisimulation. 
Also, in [20], Bonsangue et al. cast port automata (PA—see Section 3.2.2) 
and CA into GA, which yields context-sensitive variants of PA and CA. 


'®Bonsangue et al. use also the name Reo automata in [20, 21], but because Costa uses 
this name to refer to a different class of automata in [33], we write GA to avoid confusion. 
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In [56, 57], Moon et al. extend ordinary GA to stochastic GA (SGA) by 
(i) associating each node with an arrival rate that describes, stochastically, 
the rate at which 1/O-operations arrive, and (ii) associating each transition 
t with information about the stochastic delay of flow through the nodes that 
participate in t (similar to the rate on a Markovian transition in a CCA). 
In [56, 57], Moon et al. also define the join operator for SGA (indirectly in 
terms of product and synchronization). 


Intentional automata In [33], Costa introduces intentional automata 
(1A) for describing the behavior of (context-sensitive) connectors.!® 

Similar to Izadi’s ABAR, the states of an IA correspond many-to-one 
to the internal states of the connector it models: each state of an IA not 
only captures such an internal state, but also registers the presence of I/O- 
operations. The classes of ABAR and IA differ, however, in the type of 
labels their transitions carry: in ABAR, transitions carry records, while in 
IA, transitions carry pairs that each consist of a firing set and another set 
of nodes. Such a second set of nodes on a transition t contains those nodes 
on which an I/O-operation becomes pending during the execution step t 
describes. Similar to GA, but unlike ABAR, IA do not have accepting states. 

In [33], Costa also defines the join and hide operators for 14. Moreover, 
Costa defines (weak) bisimulation for IA, and proves the compositionality of 
the join and hide operators for [A under weak bisimulation. 

In [13], Arbab et al. extend ordinary IA to quantitative IA (QIA) by 
extending the labels on transitions in ordinary IA with (i) a data constraint 
(as in CA) and (ii) information about the stochastic delay and arrival rates of 
1/O-operations and data items on the nodes that participate in a transition. 
In [13], Arbab et al. also define the join operator for QIA (although indirectly, 
i.e., in terms of two other operators, namely product and refinement). 


Action cA In [46], Kokash et al. introduce action CA (ACA) for describing 
the behavior of (context-sensitive) connectors and their temporal Qos prop- 
erties without incorporating an explicit notion of time. Instead, Kokash et 
al. model delays through the successive execution of distinct actions such as 
“block node n” and “unblock node n.” Thus, despite their name, ACA differ 
significantly from ordinary CA and other CA-based models for describing the 
temporal QoS aspects of connectors (i.e., CCA, QCA, and RSTCA). 


Costa uses also the name Reo automata in [33], but because Bonsangue et al. use this 
name to refer to a different class of automata in [20, 21], we write IA to avoid confusion. 
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Similar to Izadi’s ABAR and Costa’s IA, the states of an ACA correspond 
many-to-one to the internal states of the connector it models and, among 
other information, can register the presence or absence of I/O-operations. 
The transition relation of an ACA contains quadruples that consist of: a 
state, a set of actions over a set of nodes N, a data constraint (as in ordinary 
CA), and a successor state. An action in the set of actions that a transition t 
carries denotes an operation (e.g., blocking/unblocking nodes from accepting 
1/O-operations or starting/stopping the propagation of data between nodes) 
that a connector performs in the execution step t describes. In the subclass 
of ACA wherein each action has the form “propagate a data item through 
node n,” sets of actions reduce to firing sets, and ACA simplify to CA. 

In [46], Kokash et al. also define the join and hide operators for ACA. 
Moreover, Kokash et al. encode the ACA of seven primitives into the process 
algebra mCRL2. Shortly, in Section 3.4, we discuss mCRL2 models for Reo 
connectors in more detail. 


Behavioral automata In [61], Proenga introduces behavioral automata 
(BA) for modeling the behavior of connectors in a step-wise manner. Proenca 
uses BA in [61] as the basis for an implementation of Reo and to justify the as- 
sumptions that underlie his Dreams framework, a distributed implementation 
of Reo. Because BA can embed other classes of semantic models—including 
GA—BA can describe the behavior of context-sensitive connectors. 

Similar to CA and GA, the states of a BA correspond one-to-one to the 
internal states of the connector it models. 

The transitions of a BA carry abstract labels, which map to quintuples 
(N, F,I,O,data) that describe atomic execution steps of a connector. In 
such a quintuple, N denotes a set of nodes, FC N denotes a firing set, J C F 
and O C F denote the input and output nodes involved, and data denotes a 
function from J UO to Data. Depending on the specific instantiation of a 
BA (Proenga instantiates BA, among other classes of models, for CA and GA 
in [61]), some components in these quintuples remain unused. For instance, 
in the instantiation for GA, J = O = data = 9. 

Furthermore, Proenca associates each state of a BA with a concurrency 
predicate. Essentially, a concurrency predicate in a BA BA for a state q 
describes a set of transitions in a BA different from BA that can execute 
concurrently while BA remains in g. More formally, a concurrency predicate 
C for a state q (in BA) denotes a set of labels such that | € C implies that 
transitions (outside BA) labeled by / can execute concurrently. 
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In [61], Proenga also defines the join operator for BA. 


3.2.4 Structural Operational Semantics 


Finally, in [58], Mousavi et al. formalize the semantics of (some of the 
primitives in) Reo with a structural operational semantics (SOs) in Plotkin’s 
style [59]. For each primitive,?? Mousavi et al. define a set of transition 
rules that induce a transition system. The states in this transition system 
consist of pairs (Sys,Val) with Sys a Reo system term (RST) and Val a 
function that maps nodes to (possibly infinite) sequences of data items. 
An RST describes the structure of a Reo connector Conn, including the 
specific primitives that Conn consists of, while the sequences of data items 
to which Val maps a node n represent those data items that in some instant 
already have arrived at n. Supplemented with the maximal progress assertion 
of Khosravi et al. in [43], the Sos semantics can model context-sensitive 
connectors. 

In [58], Mousavi et al. also define special transition rules for joining 
two connectors—these rules correspond to the join operators defined for 
other classes of semantic models of Reo connectors. Moreover, Mousavi et al. 
define (bi)simulation for the transition systems that their transition rules 
induce. 


3.3. Coloring Models 


We proceed with a third kind of semantic formalisms: (connector) coloring 
models (CM), introduced by Clarke et al. in [28, 29] and later extended by 
Costa in [33]. Coloring models work by marking the nodes of a connector 
with colors that specify whether data items flow through these nodes or 
not. Depending on the number of colors, different models with different 
levels of expressiveness arise. In Section 3.3.1, we discuss CMs with three 
colors. For now, we assume a total of two colors, which yields 2-coloring 
models (2CM): the flow color (data items can flow through the nodes 
it marks) and the no-flow color ---- (data items cannot flow through the 
nodes it marks). 


Definition 8 (Colors [29]). CoLoR = { ——, ---- } is a set of colors. 


To describe an execution step of a connector, CMs consist of colorings: 
maps from a set of nodes to a set of colors, which assign to each node in the 


20Including Sync, LossySync, and FIFO. 
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set a color that indicates whether this node fires (or not) in the execution 
step the coloring describes. We collect all such possible execution steps of a 
connector in sets of colorings, called coloring tables. 


Definition 9 (Coloring [29]). A coloring c over N C NODE is a function 
c: N-— CoLor that maps a node n to a color c(n). We denote the set of 
all colorings over N by Cou(N). 


Definition 10 (Coloring table [29]). A coloring table T over N C NODE is 
a set TC CoL(N) of colorings over N. 


To accommodate connectors that exhibit different behavior in different states 
(e.g., connectors with buffers), CMs feature coloring table maps (CTM): maps 
from a set of indexes (representing the states of a connector as in CA; see 
Definition 6) to a set of coloring tables (describing the admissible execution 
steps in these states).2! To model the change of state a connector incurs 
when (some of) its nodes fire, CMs feature nezt functions. The next function 
of a connector maps an index 7 in the domain I of a CTM S and a coloring in 
the coloring table to which S maps 7 to an index in I (possibly the same 7). 


Definition 11 (CT [33]). A crTm S over [N C NobE,I C INDEX] is a 
function S: I- @(CoL(N)) that maps an index i to a coloring table S(i) 
over N. 


Definition 12 (Next function [33]). Let S be a cTM over [N,]I]. A neat 
function n over S is a partial function I x CoL(N) — I that maps every 
[index, coloring/-pair (i,c) such that c € S(i) to an index n(i,c). 


Finally, we define the CM of a connector Conn as a pair that consists of a 
next function (describing the behavior of Conn) and an index (representing 
its initial state). 


Definition 13 (Cm). Let S be acTM over [N, I]. A CM CM over S is a pair 
CM = (7, %9) with n a next function over S and io € I. 


To illustrate the previous definitions, Figure 5 shows the 2CMs of Sync, 
LossySync, and FIFO, whose structures we depicted in Figure 1. 

When we join two connectors Conn; and Conng with CMs as their 
behavioral model, we can compute the cm of the resulting composite by 
joining the CMs of Conn; and Conng. We describe this joining process in a 


21Tn [33], Costa calls CTMs indexed sets of coloring tables. 
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o———————>0 (oe >o o—{___} —>o o—_{i—-o 
ny ne ny ne n2 N3 n2 n3 
C1 C1 co ———----- cg ----- — 
C4 ---------- co ——----- C4 ---------- C4 ---------- 
C4 ---------- 
Sync +> LSync +> FIFO-E ++ {c2,c4}, 
S= s= S= 
{c1, ca} {c1, C2, ca} FIFO-F +> {c3, ca} 
7 = “identity” n = “identity” (FIFO-E, cy) +> FIFO-F , 
sens Raney hes (FIFO-E, cy) ++ FIFO-E , 
(FIFO-F,c3) +> FIFO-E , 
(FIFO-F, cy) ++ FIFO-F 
ig = FIFO-E 


Figure 5: Colorings, CTMs, and next functions of Sync, LossySync and FIFO. 


bottom-up fashion. First, to join two compatible colorings—colorings that 
assign the same colors to their common nodes—we merge the domains of 
these colorings and map each node n in the resulting set to the color that 
one of the colorings assigns to n. The join of two coloring tables comprises 
the computation of a new coloring table that contains the pairwise joins of 
the compatible colorings in the two individual coloring tables. 


Definition 14 (Join of colorings [29]). Let cy and cg be colorings over Ni 
and No such that ci(n) =ce(n) for alln € Ni M No. Their join, denoted by 
cy Uco, is a coloring over Ny U No defined as: 


neEN,UNs and k= ee ine \ 


cqpU@Q={(ntk : 
paren { co(n) otherwise 


Definition 15 (Join of coloring tables [29]). Let T, and Tz be coloring 
tables over N, and No. Their join, denoted by T; - Tz, is a coloring table 
over N; U No defined as: 


T T= {aves 


cy € Ty and co € To and 
c1(n) — C2(n) for alln EN, ONg f° 


The join of two CTMs comprises the computation of a new CTM that maps 
each pair of indexes in the Cartesian product of the domains of the two 
individual CTMs to the join of the coloring tables to which these CTMs map 
the indexes in the pair. We define the join of two next functions in terms of 
the Cartesian product, the join of colorings, and the join of CTMs. 
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LossyFIFO (Empty) LossyFIFO (Full) 
Ginianceess >e—{__ }->o Gihiseeesaens >«—_ Io 
ny ng n3 ny ng n3 
re C23, See —— 
C04) <= Sie eis C24 -<$—$<—re ihe eee 
Ci, -sSoReStSoa eases eSs C43, sas eeeSaeeasee a 
C44 -------------------- 


S= {LFIFO-E ied {ci2, Coa, ca4} , LFIFO-F +> {co3, C24, C43, cast} 
(LFIFO-E, ¢12) +> LFIFO-F , (LFIFO-F, c93) ++ LFIFO-E , 
__ J (LFIFO-E, co4) ++ LFIFO-E , (LFIFO-F, co4) ++ LFIFO-F, 

| =) (LFIFO-E, cy4) + LFIFO-E , (LFIFO-F,c43) +> LFIFO-E , 
(LFIFO-F, c4,) +> LFIFO-F 


ig = LFIFO-E 


Figure 6: Colorings, CTM, and next function of LossyFIFO. Let LFIFO-E 
denote (LSync, FIFO-E), and let LFIFO-F denote (LSync, FIFO-F). 


Definition 16 (Join of CTMs [33]). Let S, and Sy be CTMs over [Ni, li] and 
[No, 12]. Their join, denoted by S; © So, is a CTM over [N; U No, i x I] 
defined as: 


S51 © So = {(i1, t2) > Si (71) . S2(i2) | 41 €, andig € Lb i 


Definition 17 (Join of next functions [33]). Let m1 and nz be next functions 
over S, and S2 defined over [Ni, |] and [No, Ik]. Their join, denoted by 
m © 2, is a neat function over S, © S2 defined as: 


(i1, 12), C1 Ucg (i1, t2) El, x Ib and } 


m @ 2 = { (m1 (i1, €1), 2(i2,€2)) | 1 Uce € ($1 © S2)( (it, é2)) 


Finally, we define the join of CMs in terms of the join of next functions and 
take the pair of the initial states as the initial state of the join. 


Definition 18 (Join of cMs). Let CM, = (m,i}) and CMg = (no, i2) be CMs 
over S; and So. Their join, denoted by CM, ™ CM2, is a CM over S; © So 
defined as: 


CM) DI CMa = (m1 @ 12, (ad, 72)). 


To illustrate the previous definitions, Figure 6 shows the 2CM of Lossy- 
FIFO, whose structure we depicted in Figure 2. In this figure, the index 
of a coloring specifies its origin: a coloring cj; results from joining c; (of 
LossySync) with c; (of FIFO) in Figure 5. Note that this 20M does not 
model the intended behavior of LossyFIFO: its coloring co4 describes the 
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inadmissible loss of data in the case of an empty buffer. Thus, as CA, 2CMs 
seem incapable of modeling context-sensitive connectors. Shortly, we revisit 
this topic. 

The introduction of CMs for Reo stood at the basis of several new 
tools—now part of the EcT—for animation, simulation, and verification of 
Reo connectors. 


3.3.1 Three colors 


In the same publications [28, 29] as those in which Clarke et al. introduce 
2CMs, they introduce CMs with three colors, i.e., 3-coloring models (3CM). 
The difference between 2CMs and 3CMs lies in the instantiation of COLOR: 
when using 3CMs, we replace the no-flow color ---- with the two different 
no-flow colors -~<+- and -+-. Although both these colors indicate that 
the nodes they mark have no flow, they also provide information about the 
reason for this absence: informally, we can think of the former color as 
stating that the nodes it marks require a reason, while we can think of the 
latter color as stating that the nodes it marks provide a reason (e.g., no 
pending 1/0-operation). Apart from this different instantiation of COLOR, 
however, nothing changes: Definitions 9-13 and 14-18 remain the same.?? 

The availability of two no-flow colors allows 3CMs, in contrast to 2CMs, 
to properly model context-sensitive connectors. For instance, in the case 
of LossySync, its 3CM asserts that this connector can lose a data item only 
if its output node receives a reason for an absence of flow by means of the 
following coloring (which replaces cz in Figure 5): 


{ny > —,ngH -<+-}. 


The potential of CMs to satisfactorily model context-sensitivity formed the 
main reason for their investigation and introduction. At the time of the 
first publications on CMs, two colors seemed insufficient for this, while three 
appeared adequate. In [42], however, its authors present an information- 
preserving mapping from 3CMs to 2CcMs, which demonstrates that 2CMs 
actually can describe the behavior of context-sensitive connectors. This 
works as follows. 

Usually, in 2CMs and 3CMs, one represents every conceptual node—a 
node that one would draw in a Reo diagram—with a single concrete node 


?2One may, however, use an optimization called the flip-rule to collapse large coloring 
tables into smaller ones without loss of information. In that case, Definition 14 becomes 
slightly more complex. We refer to [29, 33] for details. 
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in colorings. With two colors, subsequently, one can attribute two different 
behavior alternatives to each conceptual node, e.g., flow or no-flow. However, 
if we represent every conceptual node with two concrete nodes in colorings, 
we can attribute 2? different behavior alternatives to each conceptual node. 
Thus, to encode a 3CM as a 2CM, one should double the number of concrete 
nodes in the 3CM and consistently map every color in the 3CM to a pair 
of colors in the 2cM. Interestingly, such an encoding of three colors using 
two concrete nodes and two colors also has an intuitive meaning [42]. More 
generally, one can attribute 2" behavior alternatives to a conceptual node 
represented by k concrete nodes and using two colors. 

Because we can transform any CM with k > 3 colors to a CM with only 
two colors, we consider only 2CMs in (most of) the rest of this paper. 


3.3.2 Tile models 


In [11] (based on [22]), Arbab et al. introduce tile models for describing the 
behavior of Reo connectors by casting CMs of connectors into tiles. Tiles, 
introduced in [34], extend Plotkin-style inference rules: they describe tran- 
sitions from an initial configuration (if some trigger goes off) to a final 
configuration (producing some effect). Different from such inference rules, 
however, one can compose tiles in three different ways: horizontally (synchro- 
nization), vertically (composition in time), and in parallel (concurrency). 

In [11], Arbab et al. consider Reo connectors hypergraphs and formalize 
these as morphisms in a symmetric monoidal category. Subsequently, these 
morphisms serve as configurations on which tiles operate: Arbab et al. 
describe the behavior of connectors by associating these morphisms with tiles, 
each of which describes one of its possible execution steps. More precisely, 
Arbab et al. first define a series of tiles for many common primitives based 
on their semantics in terms of 2CMs, prove the correctness of these tiles 
(with respect to the corresponding 2cMs), and assert the compositionality 
of these tiles with respect to horizontal and parallel composition. Second, 
Arbab et al. define a series of tiles for a subset of these common primitives 
based on their semantics in terms of 3CMs and assert the correctness (with 
respect to the corresponding 3CMs) and compositionality of these tiles. Note 
that this second series of tiles, i.e., those derived from 3CMs, can model 
context-sensitive connectors. 

Although, as remarked in [61], tile models comprise one of the most 
complete semantic models of Reo connectors, no tools support them. 
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3.4 Other Models 


Process algebra In [47, 48, 49], Kokash et al. define the semantics of 
Reo connectors in terms of processes of the process algebra mCRL2 [35],7° 
an algebra that extends the process algebra ACP [19] with data and time. 
Kokash et al. propose two translations: one based on CA (extended with a 
TCA-style notion of time in [48]) and another based on 3cMs. In [49], Kokash 
et al. prove the correctness and compositionality of their translation from 
CA to mCRL2 specifications and assert similar results for their translation 
from 3CMs to mCRL2. The ECT includes an implementation of this work. 

Because analysis tools, including a model checker, exist for mCRL2 
specifications, we can use the translation from Reo to mCRL2 for verification 
of Reo connectors. In fact, the translation of a 3CM of a connector to its 
corresponding mCRL2 specification formed the only way to verify context- 
sensitive connectors until recently.74 


Constraints In [30, 31, 32], Clarke et al. define the semantics of Reo 
connectors in terms of propositional constraints (but different from the data 
constrains in CA). Initially, in [31], Clarke et al. define each connector in 
terms of four different kinds of constraints: synchronization constraints, data 
flow constraints, state constraints, and external constraints. Synchronization 
constraints describe which nodes can synchronize in some execution step, 
while data flow constraints describe what particular data items flow in such 
a step through which nodes. State constraints describe how the state of a 
connector evolves during its execution, while external constraints capture 
externally maintained state. In [32], Clarke et al. prove the correctness and 
compositionality of this constraint-based approach with respect to CA. 

In [32], Clarke et al. extend their initial approach with contezt con- 
straints for modeling context-sensitive connectors. Similar to how Kokash et 
al. take 3CMs as the basis for their encoding of context-sensitive connectors 
into mCRL2, Clarke et al. base their context constraints on colorings in 
3CcMs. Moreover, Clarke et al. prove the correctness of this context-sensitive 
constraint-based approach with respect to 3CMs. 

In [61], Proenga uses SAT-solvers to execute connectors based on their 
constraint model, and he shows that this approach significantly improves 


23, 


® http://www.mcrl2.org 

24 Another model checker for Reo, called Vereofy [16], operates on CA, which many 
consider incapable of modeling context-sensitivity (see also Section 3.2.1). We discuss 
Vereofy and its ability to model check context-sensitive connectors in Section 7. 
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performance (as compared to the execution of a connector based on its CM). 


Petri nets and intuitionistic temporal linear logic In [27], Clarke 
defines the semantics of nine Reo connectors (including common primitives 
such as Sync, LossySync, and FIFO) in terms of zero-safe nets [23], a special 
class of Petri nets. Different from ordinary Petri nets, zero-safe nets feature 
two types of places: zero places and stable places. When moving from one 
marking to the next, a zero-safe net fires until all tokens occupy only stable 
places. Such an epoch may consist of multiple firings, but those intermediate 
markings wherein some tokens occupy zero places remain unobservable. 


When modeling a Reo connector Conn with a zero-safe net, every epoch 
of this net represents a single execution step. In Clarke’s encoding, zero 
places ensure that the nodes in Conn cannot fire multiple times during a 
single epoch; otherwise, this would correspond to nodes of Conn having data 
flow more than once in a single execution step of Conn, which cannot happen. 
Other comparisons between Reo and Petri nets appear in [7, 50]. 


In [27], Clarke also casts Reo and zero-safe nets into intuitionistic tem- 
poral linear logic. Clarke does this not only for reasoning about coordination 
models, but also to enable more refined behavioral descriptions of connectors 
(e.g., to distinguish internal from external choices). 


Unifying theories of programming In [52], Sun Meng and Arbab de- 
fine the semantics of Reo connectors in terms of the unifying theories of 
programming (UTP) [37]. The UTP can provide a formal semantics for various 
languages, and thus, facilitates the specification of similar features in differ- 
ent languages in a similar style. This enables a straightforward comparison 
and analysis of different languages in the same framework. 

Sun Meng and Arbab model Reo connectors as UTP designs. A UTP 
design comprises a pair of predicates of the form P+ Q with P an assumption 
on the input (of a connector) and Q a commitment about the output (of 
a connector). The predicates P and Q induce sets of admissible tuples of 
timed data sequences: structures that resemble tuples of timed data streams 
(see Section 3.1), but which can have a finite length. 

In [55], Sun Meng et al. use the UTP semantics of Reo for model based 
testing through refinement and test case generation (also based on the work 
presented in [1]). 
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Figure 7: Known relations between semantic formalisms. An arrow from 
of information. 


formalism X to formalism Y means: 
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3.5 Summary 


Figure 7 summarizes the relations between the semantic formalisms discussed 
in this section. 


4 Data-Aware Coloring Models 


As demonstrated in the previous section, constraint automata and coloring 
models influenced and formed the basis of many other classes of semantic 
models: CA inspired at least TCA, PCA, CCA, QCA, RSTCA, TNCA, while CMs 
inspired tile models, the mCRL2 models, and the models based on constraints. 
Formally establishing a correspondence between CA and CMs, therefore, has 
great value: it paves the way for the application of tools and extensions 
devised for CA to CMs and vice versa. 

In this section, we take a first step towards this goal: we make traditional 
CMs data-aware by extending them with constraints similar to those carried 
by transitions in CA. We introduce this extension, because one of the 
transformation operators that we define later in this paper lacks a desirable 
property otherwise: it would map many-to-one instead of one-to-one. More 
precisely, the transformation from CA to CMs would map different CA, namely 
those whose transitions carry different data constraints but equal firing sets, 
to the same cM. Alternatively, to gain this one-to-one property, we could 
have narrowed our scope to PA, which abstract from data constraints (see 
Section 3.2.2). We favor an extension of CMs for generality. 

We add data-awareness to CMs, independently of the number of colors, 
by associating each coloring with a data constraint. Such a constraint 
coloring describes an execution step of a connector wherein data items that 
satisfy the data constraint flow through the nodes marked by the flow color. 
Below we give the formal definition. With respect to notation, we place a ~ 
above those symbols that denote constituents of data-aware CMs (but we 
use the same symbols as for CMs without constraints). 


Definition 19 (Constraint coloring). A constraint coloring ¢ over [N C 
Nove, DC C Dc(N)| ts a pair ¢ = (c,dc) with c a coloring over N and dc € 
DC a data constraint such that dc € Dc(F) with F= {n € N| c(n) = ‘e 
We denote the set of all constraint colorings over |N,DC] by CCoL(N, DC). 


Note that our definition does not exclude a constraint coloring ¢ = (c, dc) 
with inconsistent c and dc. For example, c may mark some node n with the 
no-flow color, while dc entails the flow of some data item through n. We do 
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Figure 8: Constraint CTMs of LossySync and FIFO for DATA = { “foo” }. 


not forbid such constraint colorings, because they do not impair the models 
in which they appear: they merely describe behavior that never arises. 
Next, we incorporate data constraints in the definitions of the other 
constituents of ordinary CMs (as presented in Section 3.3). This turns out 
straightforwardly. To summarize the upcoming definitions: (i) a constraint 
coloring table is a set of constraint colorings, (ii) a constraint CTM is a map 
from indexes to constraint coloring tables, (iii) a constraint next function is a 
map from |index, constraint coloring]|-pairs to indexes, and (iv) a constraint 
CM (CCM) is a [constraint next function, index]-pair, i.e., a data-aware CM. 


Definition 20 (Constraint coloring table). A constraint coloring table T 
over [N C NopDE, DC C Do(N)] is a set T C CCOL(N, DC) of constraint 
colorings over [N, DC]. 


Definition 21 (Constraint CTM). A constraint CTM S over [N C Nope, 
DC C De(N) , ITC INDEX] ts a function S: I e(CCoL(N, DC)) that maps 
an index i to a constraint coloring table S(i) over [N, DC]. 


Definition 22 (Constraint next function). Let iS be a constraint CTM over 
[N,DC,I]. A constraint next function 7 over S is a partial function 7 : 
Ix CCoL(N, DC) — I that maps every [index, constraint coloring]-pair (i, €) 
such that € € S(i) to an index 7(i,€).?° 


Definition 23 (ccm). Let S be a constraint crm over [N,DC, I]. A ccm 
CM over S is a pair CM = (7,19) with 7 a constraint neat function over S and 
io EI. 


To illustrate the previous definitions, Figure 8 shows the constraint 
CTMs of LossySync and FIFO for CoLor = { ,----}. The colorings c; 
with 7 € {1,2,3,4} refer to the colorings in Figure 5. For instance, constraint 
coloring (c1,#n1 = #nz2) in the constraint CTM of LossySync describes the 


>Fven if c and dc in € = (c, dc) are inconsistent. Cf. a transition in a CA labeled with 
aT also goes to some state. 
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execution step of LossySync wherein the same data item flows through n1 
and ng. Constraint coloring (c4, T), describes the “execution step” wherein a 
connector idles. Due to the constraint T, this may always happen. Similarly, 
LossySync can always behave as described by (cg, T), but whereas (c4, T) 
entails no flow at all, (co, T) entails flow through c, and no flow through cg. 
Here, T specifies that we do not care about which data item flows through cj. 
With respect to FIFO, for simplicity of the example, we assume the universe 
of data items a singleton as before (see Section 3.3). 

Finally, we update the join operators for CMs to incorporate data 
constraints. For brevity, we give these definitions only for constraint colorings 
and constraint coloring tables. The join operators for constraint CTMs 
(symbol: ©), constraint next functions (symbol: ®), and CcMs (symbol: 
™&) resemble their respective join operators in Section 3.3: essentially, it 
suffices to replace $1, S2, m, 72, CM1, and CM, in Definitions 16-18 with 
their ~ versions $1, S2, 71, 72, CM,, and CM). We require only these minor 
updates, because our extension of CMs with data constraints affects only the 
definition of colorings directly. For completeness, in Appendix A, we give 
the definitions of the remaining join operators. 


Definition 24 (Join of constraint colorings). Let ¢; = (c1,dc1) and 

C2 = (C2, dc2) be constraint colorings over [N,, DC] and |N2, DC2] such that 
ci(n) = c2(n) for alln € NY ON. Their join, denoted by Uta, is a 
constraint coloring over [N; U No, DC; A DC] defined as: 


Cy Us = (cy U ca, dcy A dc2). 


Definition 25 (Join of constraint coloring tables). Let Ty and Ts be con- 

straint coloring tables over [N,,DC,] and [N2,DC 2]. Their join, denoted by 

T,- T2, is a constraint coloring table over [Ny U No, DC, A DC.] defined as: 

Fare ~~ ~er or = (c1, dc1) € Gn and C2 = (cg dc2) € Ts 

Ty: To = U : . 
ae {a 2 | and c1(n) = co(n) for alln € NiO No 


Note that by taking their conjunction, we combine data constraints in 
Definition 24 in the same way as the join operator for CA in Definition 7. 
The lemmas that we formulate and prove in the subsequent sections establish 
the appropriateness of taking the conjunction of data constraints in the 
context of CMs. 

To illustrate the previous definitions, Figure 9 shows the constraint CTM 
of LossyFIFO. The colorings c; with i € {12, 24, 43, 44} refer to the colorings 
in Figure 6. 
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Figure 9: Constraint CTM of LossyFIFO for Data = {“foo”}. Let LFIFO-E 
denote (LSync, FIFO-E), and let LFIFO-F denote (LSync, FIFO-F). 


We remark that in [61], Proenga uses pairs of colorings and records 
(as in Definition 3) as transition labels of his behavioral automata (see 
Section 3.2.3) to account for the transfer of data that takes place through 
data-flows described by those colorings. This suggests using [coloring, record]- 
pairs as a data-aware CM. However, our constraint-based extension offers 
a more concise formalization. For instance, in Proenga’s model, to give 
the semantics of LossySync, one must include a [coloring, record]-pair in 
its coloring table for each data item in DATA. With our constraint-based 
extension, in contrast, we capture this with a single constraint coloring as 
shown in Figure 8. 


5 From CCMs to CA 


In this section, we present a unary operator, denoted by L, which takes a 
CCM as its input and outputs an equivalent CA; shortly, we elaborate on the 
meaning of “equivalence” in this context. We call this process of transforming 
a CCM to a CA the L-transformation. By defining the L-transformation for 
any CCM, it follows that the class of connectors that we can model with a 
CA includes those that we can model with a ccm. It follows that CA are at 
least as expressive as data-aware CMs. 

Suppose we wish to transform a CCM CM = (7, i9) over S over [N, DC, I]. 
The L-operator derives a CA from CM as follows. First, L instantiates the set 
of states of this derived CA with the set of indexes I: this seems reasonable 
as I denotes the set of indexes that represent the states of the connector that 
CM models. Next, L constructs a transition relation T based on the mappings 
in 7: for each [(i, (c,dc)) + #’] € 7, the L-operator creates a transition from 
state i to state 7’, labeled with dc as its data constraint and with the set of 
nodes to which c assigns the flow color as its firing set. Finally, 79 becomes 
the initial state of the new CA. 
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Definition 26 (L). Let CM = (7, io) be a COM over S over [N, DC, I]. The 
L-transformation of CM, denoted by L(CM), is defined as: 


L(CM) = (I, T, io) 


ee {rae i € Landt = (c,de) € &(s) oh 


and F={neéN|c(n) = 


The proposition below states that the application of L to a CCM yields a CA. 


Proposition 1. Let CM be a CCM over S over [N, DC, I]. Then, L(CM) is a 
cA over [N, DC]. 


Proof. See Appendix B. 


In the rest of this section, we prove the equivalence between a CCM CM 
and the CA that results from applying L to CM. Additionally, we prove the 
compositionality of L. 


5.1 Correctness of L 


In this subsection, we prove the correctness of L: we consider L correct 
if its application to a CCM yields an equivalent CA. We call a CCM and a 
CA equivalent if there exists a bisimulation relation that relates these two 
models. Informally, a CA CA is bisimilar to a CCM CM if, for each mapping in 
the constraint next function of CM, there exists a corresponding transition 
in the CA and vice versa, i.e., a transition that describes the same behavior 
in terms of the nodes that fire, the data items that flow, and the change of 
state. 


Definition 27 (Bisimulation). Let CA = (Q, T,qo) be a CA over [N, DC] and 
CM = (7,70) @ CCM over S over [N, DC, I]. CA and CM are bisimilar, denoted 


as CA ~ CM, if there exists a relation R C Q x I such that (qo,i90) € R and 
for all (q,i) € R: 


(1) If (q, F, dc, q') € T then there exists (11) If [(i,¢) B 7'] € 7 with ¢ = (c, de) 


ant’ € I such that: then there exists aq’ € Q such that: 
e [(i,¢) 6 7] € 7 with € = (c, dc); e (g,F,dc,q’) € T; 
e (Vt) ER; e (7,7) ER; 
e F={nEN|c(n) = ——}. e F={neEN|c(n) = —}. 


In that case, R is called a bisimulation relation. 
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In the previous definition, we compare data constraints syntactically. Alter- 
natively, one can define bisimulation by comparing data constraints logically, 
i.e., in terms of the records that satisfy a data constraint. The latter 
yields a weaker notion of bisimulation than the one formalized in Defini- 
tion 27. Because we can prove the stronger form between a CCM CM and its 
L-transformation L(CM), however, we compare data constraints syntactically. 
In our proof, which appears in the appendix, we choose the diagonal relation 
on the set of indexes as a bisimulation relation. 


Lemma 1. Let CM be a ccoM. Then, L(CM) ~ CM. 


Proof. See Appendix B. 


5.2 Compositionality of L 


We end this section with a compositionality lemma for L. Informally, it 
states that it does not matter whether we first join CCMs CM, and CM) and 
then apply L to the resulting composite or first apply L to CM, and CMp 
individually and then join the resulting transformations; the resulting CA 
equal each other. The relevance of this result lies in the potential reduction 
in the amount of overhead that it allows for when applying the L-operator 
in practice. This works as follows. There exist tools for Reo that operate 
on CA and that have built-in functionality for the computation of their 
join. By the compositionality lemma, for L, to use such a tool, we need to 
transform the common primitives only once, store these in a library, and use 
this library together with the built-in functionality for join computation to 
construct the CA of composites (on which the tool subsequently operates). 
Thus, the overhead of this approach remains constant. In contrast, the 
overhead of the alternative—first joining CCMs and then transforming the 
resulting composites using L—grows linearly in the number of composites 
one wishes to apply the tool on.?° In Section 7, we illustrate the foregoing 
with a concrete example; here, we proceed with the lemma. 


Lemma 2. Let CM; and CMy be coMs. Then, 
IL(CM1) bX L(CM2) = L(CM, x CM2). 


Proof. See Appendix B. 


?6For now, we assume the computation of the join of two CCMs and two CA equally 
expensive. In Section 7, we argue for the merits of our approach when the cost of joining 
ccs differs from the cost of joining CA. 
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Although we consider only CCMs with two colors, one can apply L also 
to CCMs with three colors. In fact, Lemma 1 (correctness) would still hold! 
Essentially, this means that CCMs with three colors do not have a higher 
degree of expressiveness than CCMs with two colors. In contrast, Lemma 2 
(compositionality) does not hold if we consider CCMs with three colors. See 
Appendix B for details. 


6 From CA to CCMs 


In this section, we demonstrate a correspondence between CCMs and CA in 
the direction opposite to the previous section’s: from the latter to the former. 
Our approach, however, resembles our approach in Section 5: we present a 
unary operator, denoted by i. which takes a CA as its input and produces 
an equivalent, i.e., bisimilar, ccM.?’ We call our process of transforming a 
CA to a CCM the i. -transformation and define the j-operator for any CA. 
It follows that the class of connectors that we can model with CA includes 
those that we can model with a CCM. Since the previous section gave us a 
similar result in the opposite direction, we conclude that CCMs and CA have 
the same degree of expressiveness. 
1 


The ; operator works as follows; suppose we wish to transform a CA 


CA over [N, DC]. The ¢-operator derives a CCM from CA as follows: for each 
transition (q, F,dc,q’) in the transition relation of CA, t includes a mapping 
from state g and a constraint coloring € = (c,dc) to state q’, where c assigns 


the flow color to all and only the nodes in F. 


Definition 28 (col). Let N, F.C NopDE. Then: 


ne Nand «= (7 1 ee ee 


ce {n oo ---- otherwise 


Definition 29 (7). Let CA = (Q,T,qo) be a CA over [N,DC]. The 7- 
transformation of CA, denoted by i (CA), is defined as: 


"Recall from Section 3.2.1 (and Footnotes 8 and 9) that, without loss of generality, we 
consider only CA whose transition relations satisfy the following condition: 


(a, Fi, dei, 91), (q, F2, de, q2) € T and qi 4 3 implies (Fi, dei) 4 (F2, de2) 


This condition ensures that we can cast transition relations into transition functions. 
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with: 7 = {(q, (col(N, F), de)) + q'|(q, F, de, q') € T}. 
The proposition below states that the application of t to a CA yields a CCM. 


Proposition 2. Let CA = (Q, T,qo) be a CA over [N, DC]. Then, 7(CA) is 
a ccm over S over |N, DC, Q] defined as: 


S= {qn T| g€ Qand T= {(col(N, F), dc) |(q, F,dc,q’) € T}}. 


Proof. See Appendix B. 


6.1 Inverse 


Having defined i we proceed by proving that it forms the inverse of L (as 
already hinted at by its symbol) and vice versa. We do this before stating the 
correctness and compositionality of i because the proofs of these lemmas 
become significantly easier once we know that t inverts L. The following 


two lemmas state the inverse properties in both directions. 


Lemma 3. Let CM be a ccM. Then, i (L(CM)) = CM. 


Proof. See Appendix B. 


Lemma 4. Let CA be a CA. Then, L(#(CA)) = CA. 


Proof. See Appendix B. 


6.2 Correctness and Compositionality of + 


As mentioned previously, knowing that L(#(CA)) = CA simplifies our correct- 
ness and compositionality proofs. We start with the former. Lemma 5, which 
appears below, states the bisimilarity between CA and its y-transformation 
1 

7 (CA). 


Lemma 5. Let CA be aca. Then, CA~ #(CA). 


Proof. See Appendix B. 


Finally, Lemma 6 states the compositionality of t: informally, this means 
that it does not matter whether we first join CA CA; and CAg and then apply 
+ to the resulting composite or first apply i to CA; and CAg and then join 
the resulting transformations; the resulting CCMs equal each other. Our 
proof, similar to that of the previous lemma, relies on the inverse lemmas. 
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Figure 10: CA obtained by applying L to the encoded 3CCMs, as 2CCMs, of 
LossySync and FIFO for DATA = { “foo” }. 


Lemma 6. Let CA, and CAg be CA. Then, ¢(CA1) & £(CAz) = £(CAy Dt CAg). 


Proof. See Appendix B. 


7 Application 


In this section, we sketch an application of the results presented in Sections 5 
and 6: the integration of verification and animation of context-sensitive con- 
nectors in Vereofy [16], a model checking tool that operates on CA.?° Broadly, 
this application consists of two parts: model checking connectors built from 
context-sensitive constituents and generating animated counterexamples. 


Verification of CCMs’ Vereofy operates on CA, and therefore, many con- 
sider it unable to verify context-sensitive connectors. We mend this deficiency 
as follows. First, recall from Section 3.3.1 that we can transform CMs with 
three colors, known for their ability to properly capture context-sensitivity to 
corresponding CMs with two colors. Because data constraints form an orthog- 
onal concern, this means that CCMs with only two colors can serve as faithful 
models of context-sensitive connectors. Consequently, the results from Sec- 
tion 5 enable the verification of such connectors with Vereofy: using the 
L-transformation, we transform context-sensitive CCMs to context-sensitive 
CA, which we then can analyze with Vereofy. 

As an example, Figure 10 shows the CA obtained by applying L to the 
encoded 3CCMs, as 2CCMs, of LossySync and FIFO. In this figure, 7), 72, and 
m3 denote new concrete nodes that the encoding procedure from 3CCMs to 
2CCMs introduces (see Section 5): each of the pairs (1,71), (n2, 72), (m3, 73) 
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{n1, 3,72}, #n3 = “foo” {ni,n3}, #n3 = “foo” 


{73}, T {n1,T2, M3}, T 


{ni,n2},de 


LFIFO-F 


LFIFO LFIFO-F LFIFO-E 
{ni,n2},de 
with: dc [# ny = #n2 A #n2 “foo” | 


Figure 11: Ca of LossyFIFO obtained by joining the CA in Figure 10. Let 
LFIFO-E denote (LSync, FIFO-E), and let LFIFO-F denote (LSync, FIFO-F). 


of concrete nodes in the CA represents a single conceptual node that one 
would draw in a diagram. Note that abstracting away 71, N2, and 73, yields 
the CA in Figure 3. The left CA in Figure 11 shows the join of the CA in 
Figure 10; the right CA in Figure 11 shows the same CA but with 71, M2, and 
m3 abstracted away. Compared to Figure 4, this CA does not contain the 
transition (LFIFO-E, {n,}, T,LFIFO-E), i.e., it models the context-sensitive 
LossySync rather than its nondeterministic sibling. One can now use Vereofy 
to analyze this cA. Another example appears in [42]. 

In this application, the compositionality of L in Lemma 2 plays an 
important role (as already outlined in Section 5.2): it facilitates the one- 
time-application of L to encoded 3CCMs, as 2CCMs, of Reo’s primitives. 
Subsequently, one can use Vereofy’s built-in functionality for joining CA to 
construct the compound automata that one wishes to analyze. We remark 
that our compositionality lemmas work also in the opposite direction: if 
future studies indicate that joining CCMs costs less than joining CA, we can 
extend Vereofy with a module to automatically (i) transform CA of primitives 
to CMs with i (ii) join the resulting CcCMs, and (iii) transform the resulting 
composite back to a CA with L. (To truly gain in performance, however, 
the costs of transforming forth and back should not exceed the benefits of 
joining CCMs instead of CA.) 


Animation of CA Vereofy facilitates the generation and inspection of 
counterexamples, an important feature that distinguishes it from mCRL2 
(recall from Section 3.4 that, alternatively, we can verify Reo connectors with 
the analysis tools of mcRL2). When used together with the EcT, Vereofy 
can in some cases display counterexamples as connector animations. These 
animated counterexamples comprise a graphical model of a connector through 
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which data items visually flow for each execution step in an error trace. 

Although such animations improve the ease with which Vereofy users 
can analyze counterexamples, the opportunity to actually provide these 
visualizations depends on the availability of a cm of the connector under 
investigation (in addition to the CA that Vereofy’s verification algorithm 
operates on). Moreover, the standalone version of Vereofy, a command-line 
tool, does not facilitate the animation of counterexamples at all. The results 
in Section 6, however, enable animated counterexamples for any CA: in case 
of unavailability of a CA, Vereofy can simply generate such a model with the 
z-transformation. 


8 Conclusion 


In this paper, we gave an overview of all the existing semantic formalisms for 
modeling Reo connectors. Furthermore, we showed that once extended with 
data constraints, coloring models with two colors and constraint automata 
have the same degree of expressiveness by defining two operators that 
transform such data-aware CMs to corresponding CA and vice versa. Moreover, 
we showed the compositionality of these operators. Though primarily a 
theoretical contribution, we illustrated how our results can broaden the 
applicability of Reo’s tools. 

With respect to future work, we would like to implement the transforma- 
tion operators and the sketched extension to Vereofy. Another application 
worth investigating comprises the development of an implementation of 
Reo based on transforming behavioral models of connectors back and forth 
to improve performance. Finally, we would like to study correspondences 
between other classes of semantic models. 
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A Appendix: Composition Operators 


In this appendix, we give the formal definitions of the join operators whose 
definition we gave only informally in Section 4. More specifically, we give 
the definitions of the join operators for constraint CTMs, constraint next 
functions, and ccMs. The definitions of the join operators for constraint 
colorings and constraint coloring tables appear in Section 4. As mentioned 
in that section, we obtain the operators that we define below by replacing 
S1, Se, 71, N2, CM1, and CM in Definitions 16-18 with their ~ versions. 


Definition 30 (Join of constraint CTMs). Let Ss and So be constraint CTMSs 
over [Ni, DC, i] and [No, DC2, In]. Their join, denoted by S16 Se, is a 
constraint CTM over |N, U No, DC, A DC, I, x In} defined as: 


S31 © S> = { (ii, t2) > S1 (i1)* So(i2) | 41 €, andig EC Lb 3 


Definition 31 (Join of constraint next functions). Let m and 72 be con- 
straint next functions over Si and So over [Ni, DCi, | and [N2, DC2, b). 


Their join, denoted by 7, Qi, is a constraint next function over S1 © Sy 
defined as: 


7 (é1, i2),€, UE, (1,12) Eh xh 
m2 = tt: 7 _and_ 
(m (71, €1), N2(%2, €2)) | €1 U2 € (S1 © Sa) ((é1, 22)) 


Definition 32 (Join of coms). Let CM, = (m1, ip) a and CMy = (ij2,72) be CCMs 


over Si and Ss. Their join, denoted by CM, SaCMy, is a@ CCM over io © So 
defined as: 


CM, SaCM> _ (m @ Na, (i9, 19))- 
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B Appendix: Proofs 


Proof of Proposition 1 (L is well-defined). By Definition 26 of L, we must 
show that L(CM) = (I, T,i9) is a CA over [N, DC]. To demonstrate this, by 
Definition 5 of CA, we must show that T C Ix g(N) x DC x I. Now, suppose 
CM = (7j,i9). Because, by the premise, CM is a CCM over S over [N, DC, I], 
by Definition 22, the co-domain of 7 is I. Also, by Definition 26, for all 
(i, F, dc, n(i,¢)) € T with c = (c, dc), it holds that 7 € I, FC N, and dc € DC 
(this latter follows from Definition 19). 


Proof of Lemma 1 (correctness of L). Suppose CM = (7, ig) over [N, S| over 
[N, DC, I]. Additionally, suppose L(CM) = (I, T,i9). We show that R = 
{(i,7) |¢ € I} is a bisimulation relation by demonstrating that it satisfies (1) 
and (11) in Definition 27. Let (i,i) € R. 


(1) Suppose (i, F,dc,i") € T. Then, by Definition 26 of L, there exists a 
¢€ = (c,dc) € S(t) such that 7’ = 7(i,€). Hence, [(i,¢) +> 7] € 7. Also, 
by the definition of R, (i’,i’) € R. Finally, by Definition 26 of L, 
F={neéEN|c(n)= \. Therefore, R satisfies (1). 


(11) Suppose [(7,¢) +> #] € 7 with ¢ = (c,dc). Then, by Definition 22 
of 7, it holds that 7 € I and c € S(7), hence by Definition 26 of L, 
(i, F,dc,v’) € T with F = {n € Nic(n) = }. Also, by the 


definition of R, (i’,i’) € R. Therefore, R satisfies (11). 


Thus, R satisfies (1) and (11). Moreover, because ig € I by Definition 23, 
(io,i0) € R. Hence, R is a bisimulation relation. Therefore, L(CM) ~ CM. 


Proof of Lemma 2 (compositionality of L). Suppose CM, = (m,%9) and 

CMs = (jj, i2) over S, and Sy. Applying Definition 26 of L to the left-hand 
side (LHS) and Definition 32 of & (informally on page 231) to the right-hand 
side (RHS) yields: 
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(h, Fixth) bd (hb, To, i2) 


(t1, 12), C1 UC. (i1, t2) — i x In 
L I _and | 1.9) 
(m1 (i1, C1), Me(t2,€2)) | € Ues € (Si © S2)((i1, t2)) 


741 € ; and C1 — (c1, dc1) E S1(i1) 
and Fy = {ne N,|ca(n) = } 


dg € Ib and © — (c2, dcez) € S1 (72) 
and Fy = {n € No|co(n) = } 


with: T; = { (iu Fisder,th(in.%) 


and: Tz = { (in, Foden fl in.%) 


Applying Definition 7 of > (to LHS), and Definition 26 of L (to RHS) yields: 
(h x hh, a (ig, 43) = (h x b, T, (ig, 3) 


(i1, Fi, dei, *4) — Th and 
with: T= ¢ ((i1, i2), Fi U Fe, der A dea, (i, 74)) | (ta, F2, dco, ih) € Tz and 
PLN Ng = FLO Ni, 


7€ 1, x Ib and 


and: T’ = ¢ (i, F, de, (71 ® 72) (4,0) | € = (c, de) € (S, © 82) (i) and 
F={n€N,UNg|c(n) = } 


What remains to be shown is T = 7’. This follows from Figure 12. 


Interestingly, Lemma 2 (compositionality) does not hold if we consider 
CCMs with three colors: the fourth—counted from top to bottom—equality in 
Figure 12 on page 249 (“Because, by the definition of Fy and F...”) becomes 
invalid if we consider CCMs with three colors. This means that, although 
CCMs with two and three colors have the same degree of expressiveness, they 
compose differently: paradoxically, the addition of a third color restricts, as 
intended, the number of compatible colorings. This restriction allows one 
to model context-sensitive connectors compositionally with three colors: it 
serves as a filter for nondeterministic behavior that should not occur due to 
context-sensitivity. 


Proof of Proposition 2 (t is well-defined). By Definition 29 of Lt we must 
show that +(CA) = (77,0) is a CCM over S. To demonstrate this, by Defini- 


tion 23 of CCM, we must show that 7) is a constraint next function over S. 
First, by Definition 28, all colorings that occur in the domain of 7 have N as 
their domain. Next, by Definition 29, all indexes that occur in the domain 
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T 
= /* By the definition of T in Lemma 2 , 
{((i1, 2), Fi U Fo, dey A deg, (i, 74)) \(i1, Fi, dei, i) € Ty and (iz, F2,de2, 15) € Tz and Fy M No = Fz Ni } 
= /* By the definitions of 7; and Tz in Lemma 2, and by introducing i = (71,72) , 
iy € and = (cy, de) € Si (is) and i, = m(i1,€1) and Fy = {n € Ni |c1(n) = ——} and 
fin U Fa, der A dea, (14,44) | ig € Ip and & = (cp, de) € S2(iz) and ib = No(i2,€2) and Fy = {n € N2|co(n) = —— } and 
F, No = F201 N, and i = (i, 72) 
= /* Because, by the Cartesian product, [i1 € I; and ig € J] iff (1,12) eh x hb . 
G1 = (c1,de1) € $,(i,) and #4, =m (41,61) and Fy = {n € Ni | c1(n) = ——} and 
fon UF), dey A deg, (i, %)) | G = (ce, dea) € So(ég) and iS = Mo(t2,€) and Fp = {n € N2|c2(n) = —— } and ! 
FLO Ng = F2NN, andi = (i1,72) Eh x bh 
= /* Because, by the definition of Fy and F2 in Lemma 2, [Fy 1 No = F21 Nj] iff [{n € NiO No|a(n) = }={neNn 
Np | c2(n) = }], and because, as c and cy are 2-colorings, [{n € Ny N N2|ci(n) = —— } ={n © N,N Nog|co(n) = —— }} iff 
ci(m) = c2(n) for all n € Ni N No] 
1 = (c1, dey) € Si (is) and i, = m(i1,€1) and Fy = {n € Ny | c1(n) = ——} and 
fon U Fy, dey A deg, (i, %)) | = (cz, dex) € So(iz) and iS = Mo(i2,) and Fy = {n € N2|c2(n) = —— } and ! 
[c1(n) = c2(n) for all n € N,N Ng] and i = (i), i2) Eh x bh 
= fs Because, by Definition 25 of * [Er = (c1,de,) € Sy(i,) and €2 = (c2,dce2) € So(iz) and cj(n) = co(n) for all n € N, 1 No] iff 
€ Ute € S1(i1)* So(i2)] , 


= (cy, de;) and #4 = m(i1,€1) and F, = {n € N,|ci(n) = —— } and 
fon U Fy, dey A deg, (i, 14)) | C2 = (C2, dea) and 7 = To(t2,€2) and Fy = {n € N2|co(n) = ——} and 
G Ute € Sy (i1)*So(ig) and i = (i, i2) Eh x bh 
= /* By Definition 30 of ¢ aes on page 231) , 
= (cy, de;) and i = m(i1,¢1) and F, = {n € N,|ci(n) = —— } and 
fon U Fp, dey A deg, (i, 14)) a2 = (C2, deo) and i = 72(i2,C2) and Fy = {n € N2|c2(n) = —— } and 


GUE (Sy 55)(i) and i = (ij,i2) € x b 
* Because, by Definition 31 of é (informally on page 231), [i = (i1,i2) € I, x bh and (UG € (S16 52) (i) and i, = m(i1,€1) and 
i = M2(i2, €2)] iff (24,74) = (mm ae i, €1 U2) 
= (c1,de1) Fy = {ne Ni |ci(n) = —— } and 
{ i, Fy U Fe, der A dea, (i4, 14) S = (c2,de2) and Fy = {n € Ng|c(n) = —— } and ! 
G1 Ut € ($1 6 S)(i) and i € hy x band (4,14) = (7 B®) (i, OG) 
* By introducing F = F) U F2, and by applying 4,45) =(m ® Ho) (i, € UE) 
= (ci, dc,) and € = (cz, dce2) and 
i, F,de, A deg, (1 ® tp) (4,G UE)) Fe {ne N,UN2|c1(n) = or c2(n) = —— } and 
{ G1 Oe € ($15 &)(i) andieh xh ! 
= /* Because, by Definition 14 of U, [ci(n) = or co(n) = ——] iff [(c, Uce)(n) = ——], and by applying (c,de) =€ = 0G = 
c1 Uce, dei A de2) 
{(i, F, de, (ii ® 7) (i,©) | F = {n € Ny UNg|c(n) = ——} and é= (¢, de) € ($1 O Sy)(i) and ie x bh} 
= /* By the definition of 7’ in Lemma 2 
T 


Figure 12: Proof: T= T. 


and co-domain of 7 are states that appear in elements of the transition 
relation T; therefore, by Definition 5, all indexes come from Q. Similarly, by 
Definition 29, all data constraints that occur in the domain of 7 also appear 
in elements of T, hence come from DC. Finally, by Definition 22, we must 
show that 7) maps every (7,c) such that c € S(i) to an index in Q. This 
follows from Definition 29 and the definition of S$ in the premise. 


Proof of Lemma 3 (left-inverse se for L). Suppose CM = (7, ip) is defined over 
S over [N, DC, I]. Then, ¢(L (CM)) = CM follows from Figure 13. 
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E(L(GM)) 

By Definition 26 of L, and because CM is defined over S, which is defined over [N, DC, I 
LCL T,io)) with T as in Definition 26 

By Definition 29 of =, and because L(CM) is a CA over [N, DC] by Proposition 1 

({(é, (col(N, F),dce)) + i’ |(i, F,de,7’) € T},i9) with T as in Definition 26 


*S, Because (i, F,dc, i’) € T iff [i € Tand¢ c,dc) € S(q) and F={n € N|c(n) = —— } and i’ = 7(i,¢)] by Definition 26 of L 
({(i, (co1(N, F),dc)) + H(i,€) |i € Land € = (c,de) € S(é) and F = {n € N|c(n) = —— }}, io) 
= Because c = col(N, F) iff F= {n € N|c(n) } by Definitions 9 and 28 


({(i, (c,de)) + Hi, |i € Land € = (c, de) € S(é) }, i) 
= By Definitions 22 and 23 
(7), i9) = CM 


Figure 13: Proof: i (L(CM)) = CM. 


Proof of Lemma 4 (right-inverse for L). Suppose CA = (Q, T, qo) is defined 
over [N, DC]. Then, L(#(CA)) = CA follows from Figure 14. 


Proof of Lemma 5 (# is correct). Suppose CM = z(CA). Then, CA ~ #(CA) 
iff L(¢(CA)) ~ ¢(CA) iff L(CM) ~ CM by Lemma 4. The latter follows from 
Lemma 1. 


Proof of Lemma 6 (compositionality of t ). Follows from Figure 15. 
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L(z(CA)) 
* By Definition 29 of ;, and because CA = (Q, T, qo) is a CA over [N, DC] by the premise of Lemma 4 , 
L((f,qo)) with 7 = {(g, (COUN, F),de)) + 4! |(q, F. de, q) € T} 


= /* By Definition 26 of L, and for 77 is defined over S= {q+ T|q € Q and T= {(col(N, F), de) |(q, F, de, q’) € T}} by Proposition 2 
(Q, T’, qo) with: 
e T ={(q,F de, (4,0) |q € Q and € = (c, de) € S(q) and F= {n € N|c(n) = —— }} 
¢ 7 = {(q, (col(N, F), de)) + q'|(q, F, de,q') € T} 
e S={qh T|q€ Qand T= {(col(N, F), de) |(q, F,de,q') € T}} 
= /* By introducing q! = 7(q,€) in T 
(Q, T’, qo) with: 
e T= {(q,F,de,7)|q € Qand €= (c,de) € S(q) and F= {n € N|c(n) = ——} and d' =7(q.0 } 
© 7 = {(q, (col(N, F),de)) > d' \(q, F.de,q') € T} 
© S={qH T|q€ Qand T = {(col(N, F), dc) |(q, F,de,q) € T}} 


* Because, by the definition of 5, [E = (cde) € S(q) iff [(q, F', de, q") € T and c = col(N, F’) 
(Q, T',40) with: 
e T= {(¢,F,dc,q')|q € Q and (q, F, de, q’) € T and ¢ = col(N, F) and F= {n € N|c(n) 


— } and q! = (4, (c.de)) } 


© 7 = {(q, (col(N, F),de)) + q' \(q, F.de,q') € T} 
* By applying c = col(N,F’) , 
e T= {(¢,F,dc,q')\q € Q and (gq, F, de, q’) € Tand F= {n € N|(col(N, F’))(n) = —— } and q = 7(q, (col(N, F’), de)) } 
© 7 = {(q, (col(N, F),de)) > ' \(q, F.de,q') € T} 
Because, by Definition 28 of col, {n € N|(col(N, F’))(n) = ——}=F 


(Q, T, qo) with: 
T ={(q,F,de,q')|q € Q and (q, F’,de,q”) € Tand F= F and qd = 7(q, (col(N, F’), de)) } 
¢ 7 = {(q, (col(N, F), de)) + q'|(q, F, de,q') € T} 
By applying F = F” 
T’,qo) with: 
e T= {(¢,F.de.q’)|q € Qand (q, F,de,q") € T and q! = 7(q, (co1(N, F’), de)) } 
© 7 = {(q, (col(N, F), de)) + q |(q, F, de,q') € T} 
* Because, by the definition of 7, q’ = 7(q, (col(N, F’), de)) iff (q, F',dc,q') € T 
(Q, T, qo) with T = {(q, F,de, 7) |q € Q and (q, F’,de,¢q") € T and (q, F',de,q’) € Th} = T 
= /* By the definition of CA 


Figure 14: Proof: L(#(CA)) = CA. 


L(CA1) ba £(CAz) 

* By the inversion of L by + in Lemma 3 , 
L(L(#(CA1) 8 (CAg))) 

* By the compositionality of Lin Lemma 2 
E(L(z(CA1)) os L(Z(CA2))) 

* By the inversion of + by L in Lemma 4 , 
L(CA1 bt CAg) 


Figure 15: Proof: ¢(CA1)p(CA2) = ¢(CA1 XI CAg). 
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